[tex-live] question about archive naming scheme

Norbert Preining preining at logic.at
Tue Sep 21 07:29:44 CEST 2010


So to come back to that...

> > http://tim.oreilly.com/pub/a/onlamp/2005/03/31/packaging.html

which presents some very nice ideas for upstream, which in our case
would be the TeX packagers, we would be happy to have ourselves.
But as we are distributing, *we* are the packagers in the terminology
of that article, this does not apply!

Quote
------------------
    * Avoid modifying published distfiles. Once you have made a distfile available, never modify it. Even if it includes a stupid bug, don't touch it; instead, publish a new version.

      Rationale: Many packaging systems store cryptographic digests of the distfiles they use in the source packages. This helps verify that no third party has modified the package since its creation. If you change a distfile, you will break the package because the digest test will fail. The maintainer has to check why the test fails, to ensure that there are no malicious changes--not an easy task.

The files and md5sums of the *published* TeX Live 2010 as distributed
in the ISO image or release tarballs do not change. If that is what
you need, it is fine.

    * Avoid moving published distfiles. Once you have published a distfile and distributed its URL, don't remove it from the server or move it around. If you must do it, it would be nice if you contacted all known package maintainers to let them know this issue.

      Rationale: Many source packages download distfiles from their original sites; if the file is moved or removed, the fetch process will fail and the package will be broken. This isn't difficult to fix, but it opens a time window during which people cannot download the package.


So that would mean that we should keep for *EVERY* day one copy of
the tlnet archive, which is 2Gb. Umpf. Even with hard links in very
short time every CTAN node will send us a nice letter: "Thanks for working
on TeX Live, but we cannot distribute it anymore".

This is not what we want, what anyone wants.

If you want it, set up a cron job that rsyncs at any given time
after our sync and create your own history of tlnet per day, and store it
wherever you can.

    * Always use versioned distfiles. The distfile's name must always include a version string identifying it, whether a version number or a timestamp. If you want a static name that refers to the latest version, use a symbolic link on your server pointing to the full name.

      Rationale: This is very similar to the modification of published distfiles described above. If you replace a distfile with one containing a new version, you implicitly break the cryptographic digests stored in source packages.

The only cryptographic digests that are reasonable are the ones in the
texlive.tlpdb. Whatever you store on your BSD distribution system
has to use a different approach. Or, as said already several times, 
repackage the original .tar.xz on a daily basis and put them on one
of your servers.

    * Do not include prebuilt files in your distfile. Be sure that your distfile does not contain prebuilt files that are OS- or architecture-specific. For example, it is erroneous to include a prebuilt object file, but correct to include a Lex-generated C source file.

      Rationale: When building on operating systems and/or architectures different from yours, those files will not be built again because the rebuild rules will not fire. They will cause strange errors later, as their format will be incorrect.


Also a nice idea, but only for package writers, but we are distributors,
so this does not apply to us. None of the many TeX Live users who
happily installed TL over the network want to run the installation
routines for each and every package (2000+) by hand themselves?

---------------------


So this article simply is as useful for us as .... I don't want to say.

I guess what I will do, and that is the only positive input you provided,
is to allow signed release files, so that the texlive.tlpdb, or the
texlive.tlpdb.md5 is signed with some (to be generated) gpg key.
I will discuss that internally, but I am not sure if others of the 
team actually see the need for it (I don't see it either).

So, I hope that slowly you get an impression about what you are dealing
with with TeX Live. If you have any question concerning our infrastructure,
the system, whatever, you are invited to come back, but please stop
trying to push your distribution ideas onto us, thanks.

Best wishes

Norbert
------------------------------------------------------------------------
Norbert Preining            preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan                                 TeX Live & Debian Developer
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
BLEAN
Scientific measure of luminosity : 1 glimmer = 100,000
bleans. Usherettes' torches are designed to produce between 2.5 and 4
bleans, enabling them to assist you in falling downstairs, treading on
people or putting your hand into a Neapolitan tub when reaching for
change.
			--- Douglas Adams, The Meaning of Liff
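
Added example, not part of the original message and not TeX Live code: a sketch of the two-level digest check the thread is arguing about, where a client trusts one digest of the package index (for instance from a signed file) and the index in turn carries the digest of each container. The index format, file names and package contents are constructed for illustration, SHA-256 stands in for the MD5 sums mentioned in the message, and the signature check on the trusted index digest is assumed to have happened out of band.

```python
import hashlib
import hmac

def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data; algo is any name hashlib.new() accepts."""
    return hashlib.new(algo, data).hexdigest()

def parse_index(text: str) -> dict:
    """Parse the constructed 'name <file>' / 'digest <hex>' stanza format."""
    entries, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key == "name":
            name = value.strip()
        elif key == "digest" and name:
            entries[name] = value.strip()
            name = None
    return entries

def verify_container(index_bytes, trusted_index_digest, name, container):
    """Return (ok, reason) for one downloaded container."""
    # Level 1: the index itself must match the digest we already trust.
    if not hmac.compare_digest(digest(index_bytes), trusted_index_digest):
        return False, "index digest mismatch"
    # Level 2: the container must match the digest recorded in that index.
    expected = parse_index(index_bytes.decode("utf-8")).get(name)
    if expected is None:
        return False, "container not listed in index"
    if not hmac.compare_digest(digest(container), expected):
        return False, "container digest mismatch"
    return True, "ok"

def build_index(container: bytes) -> bytes:
    """Build a one-entry constructed index for a container named foo.tar.xz."""
    return f"name foo.tar.xz\ndigest {digest(container)}\n".encode()

# Constructed sample data: the same file name published on two days.
PKG_DAY1 = b"constructed package contents, revision 1"
PKG_DAY2 = b"constructed package contents, revision 2"
INDEX_DAY1 = build_index(PKG_DAY1)
INDEX_DAY2 = build_index(PKG_DAY2)
PINNED_DAY1 = digest(INDEX_DAY1)  # what a downstream port recorded on day 1

if __name__ == "__main__":
    print(verify_container(INDEX_DAY1, PINNED_DAY1, "foo.tar.xz", PKG_DAY1))
    print(verify_container(INDEX_DAY2, PINNED_DAY1, "foo.tar.xz", PKG_DAY2))
```

A digest pinned on day 1 rejects the day 2 index even though nothing malicious happened, which is why a downstream packager of a rolling repository has to either mirror a snapshot or re-fetch the authenticated index on every update.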

